Deleting collections with special characters doesn't work
bfritscher opened this issue · 1 comments
Description
If I create a collection with a "+" in the name, I can no longer interact with it in API calls which use the collection name in the URL part.
It looks as if there is no escaping happening when building URLs for the Typesense API.
Does the user of this library need to escape the collection name before using the API and make assumptions about the underlying workings of the API?
Steps to reproduce
- Add a collection named "foo+bar" with a dummy field
- Try to delete the collection
Expected Behavior
- "+" is urlencoded to make the API call work
Actual Behavior
String is used as is and server receives "foo bar"
Metadata
Typesense-js Version: 1.7.2
Reported via bfritscher/typesense-dashboard#44
Same with #, which opens up malicious actors to deleting unauthorised rows when combined with badly designed IDs/validation.
In fact, one could delete an entire collection just by starting the document ID with a hash.
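The behaviour reported in this thread, as an added example that is not part of the issue and is not typesense-js code: it compares a request path built by plain concatenation with one whose segments pass through `encodeURIComponent`. The helper names, the endpoint and the sample names are constructed, and `serverDecode` is an assumed model of a server that reads "+" as a space, as the report describes.

```javascript
// Added example: hypothetical helpers, not the library's own code.
const BASE = 'http://localhost:8108'; // constructed sample endpoint

// Before: caller-supplied names are concatenated into the path as-is.
function rawPath(collection, documentId) {
  let path = `/collections/${collection}`;
  if (documentId !== undefined) path += `/documents/${documentId}`;
  return path;
}

// After: every caller-supplied segment is percent-encoded first.
function encodedPath(collection, documentId) {
  let path = `/collections/${encodeURIComponent(collection)}`;
  if (documentId !== undefined) {
    path += `/documents/${encodeURIComponent(documentId)}`;
  }
  return path;
}

// The path a WHATWG URL parser would put in the request line.
// Anything after a literal "#" is a fragment and is never sent.
function pathOnWire(path) {
  const u = new URL(path, BASE);
  return u.pathname + u.search;
}

// Assumption: the server treats "+" as a space before percent-decoding,
// which matches the "foo bar" result reported in the issue.
function serverDecode(segment) {
  return decodeURIComponent(segment.replace(/\+/g, ' '));
}

// Path segments as the modelled server would see them.
function receivedSegments(path) {
  return pathOnWire(path).split('/').filter(Boolean).map(serverDecode);
}

// Constructed sample inputs: a "+" in a collection name, a "#" in an ID.
for (const build of [rawPath, encodedPath]) {
  console.log(build.name, receivedSegments(build('foo+bar')));
  console.log(build.name, receivedSegments(build('books', '#1')));
}
```

With the raw path, the document ID segment is missing from the request entirely, so the call addresses the documents resource rather than one document; validating IDs on input does not replace encoding them at the point where the URL is built.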